Breaking News: From Abortion to Anti-Cancer Trials
Posted by Mario Vuksan on Thu, Aug 14, 2008
Fake Adobe Flash downloads seem to be a perfect social engineering attack. After all, we are all used to automatically accepting updates of Flash and similar technologies. In a sense, this is a similar strategy to last year's Fake XP Re-Activation case. Let's hope that this will be the demise of release-poor-code, patch-later philosophies.
Yet we are all news junkies, and as such we will be hearing more about these types of attacks in the coming weeks. As of today, "CNN Top 10" emails have gotten a bit more sophisticated. They now read: "CNN Alerts: Breaking news". That is a much less suspect message, as I never cared much about the Top 10 of anything, but would be curious about that Breaking News event.
What makes it more exciting is a hint. The latest SPAM peddling fake Adobe Flash tries to guess my economic, wellness or political interests. It becomes a worthy marketing study: "what would it take to make me click on a news link?"
For example, if I was following the latest business news, I could pick:
msnbc.com - BREAKING NEWS: Jerry Yang relinquishes control over Yahoo
If I was incensed about the state of the economy:
msnbc.com - BREAKING NEWS: Oil prices rises due to attacks
If I was keeping up with the pre-election madness:
msnbc.com - BREAKING NEWS: Abortion outlawed in California
If I was tracking the foreclosure fiasco:
msnbc.com - BREAKING NEWS: Fredie Mac losses mount, loses billions every month
If I was a wellness junkie:
msnbc.com - BREAKING NEWS: Vitamin C shows promise in anti-cancer trials
If I was technology mad:
msnbc.com - BREAKING NEWS: Microsoft announces takeover bid for Intel
Best of all, social engineering tactics are well positioned for attacking social networks. Kaspersky researchers have recently discovered fake Adobe Flash downloads attached to picture links posted in Twitter updates. As identity theft shifts to stealing social network identities, it will no longer be necessary to create bogus social network accounts on Twitter or Facebook. Stolen identities will be sufficient for the next iteration of these attacks.
Sadly, good mitigation strategies are few. Our SPAM protection would have to be stellar, which it is not. SPAM still gets through. We would have to be able to trust digital certificates, which we cannot, thanks to loose certificate issuance policies. We would need to assess where automatic downloads originate, something that is not trivial even for expert users. Adobe recommends that you only install Flash and its updates from official sites, as if my grandmother knows where Flash comes from. It is also contrary to the viral marketing strategy that was always behind Flash. For years, this strategy has provided an automatic download of Flash behind each and every Flash animation. Adobe's advice is what it is, provided "AS IS". Nice touch.
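One mechanical form of the origin check described above, as an added example that is not part of the original post: it reads the brand domain a subject line claims (the `msnbc.com - BREAKING NEWS: ...` pattern quoted earlier) and reports the sender domain and link hosts that fall outside it. The sample message, the `.invalid` hosts and all function names are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: subject copied from the post, hosts are reserved .invalid names.
SAMPLE = """\
From: "msnbc.com Breaking News" <alerts@news-update.invalid>
Subject: msnbc.com - BREAKING NEWS: Vitamin C shows promise in anti-cancer trials
Content-Type: text/html; charset=utf-8

<a href="http://video.news-update.invalid/watch.html">Watch the full story</a>
<a href="http://www.msnbc.com/">msnbc.com</a>
"""

# Brand domain claimed at the start of the subject line.
BRAND_RE = re.compile(r"\s*([a-z0-9-]+(?:\.[a-z0-9-]+)+)\s+-\s+BREAKING NEWS:", re.I)

class LinkHosts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = []  # hostname of every <a href=...> seen
    def handle_starttag(self, tag, attrs):
        try:
            host = urlsplit(dict(attrs).get("href") or "").hostname if tag == "a" else None
        except ValueError:  # malformed URL, e.g. an unclosed IPv6 bracket
            host = None
        if host:
            self.hosts.append(host.lower())

def under(host, domain):
    # Plain suffix match; a production check would compare registered domains.
    return host == domain or host.endswith("." + domain)

def check_message(raw):
    """Return None if no brand is claimed, else the mismatches found."""
    msg = email.message_from_string(raw, policy=policy.default)
    m = BRAND_RE.match(msg["Subject"] or "")
    if not m:
        return None
    brand = m.group(1).lower()
    addrs = msg["From"].addresses if msg["From"] else ()
    sender = addrs[0].domain.lower() if addrs else ""
    body = msg.get_body(preferencelist=("html",))
    links = LinkHosts()
    links.feed(body.get_content() if body else "")
    return {"brand": brand, "sender_mismatch": not under(sender, brand),
            "foreign_hosts": sorted({h for h in links.hosts if not under(h, brand)})}
```

A clean result does not clear a message: the check says nothing about a legitimate host that has been compromised or about a forged sender on the brand's own domain.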